{"id":6759,"date":"2024-12-30T13:55:10","date_gmt":"2024-12-30T19:55:10","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82992"},"modified":"2024-12-30T13:55:10","modified_gmt":"2024-12-30T19:55:10","slug":"thousands-of-industrial-routers-vulnerable-to-command-injection-flaw","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/12\/30\/thousands-of-industrial-routers-vulnerable-to-command-injection-flaw\/","title":{"rendered":"Thousands of industrial routers vulnerable to command injection flaw\u00a0"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Thousands of industrial routers vulnerable to command injection flaw&nbsp; | CyberScoop<\/title> <meta name=\"description\" content=\"The vulnerability, found in versions of Four-Faith routers, appears to have been exploited in the wild and has been connected to attempted infections of Mirai.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/iot-command-injection-industrial-routers-four-faith-mirai\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Thousands of industrial routers vulnerable to command injection flaw&nbsp;\"> <meta property=\"og:description\" content=\"The vulnerability, found in versions of Four-Faith routers, appears to have been exploited in the wild and has been connected to attempted infections of Mirai.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/iot-command-injection-industrial-routers-four-faith-mirai\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" 
content=\"2024-12-30T19:55:10+00:00\"> <meta property=\"article:modified_time\" content=\"2024-12-30T19:55:12+00:00\"> <meta name=\"author\" content=\"djohnson\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/thousands-of-industrial-routers-vulnerable-to-command-injection-flaw-2.jpg\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1730999764g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1732010462g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ddc036fa194c40cf406f\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82992\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" 
href=\"https:\/\/cyberscoop.com\/?p=82992\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fiot-command-injection-industrial-routers-four-faith-mirai%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fiot-command-injection-industrial-routers-four-faith-mirai%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82992 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/iot-command-injection-industrial-routers-four-faith-mirai\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div 
class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.316765578635\">\n<div class=\"single-article__header-content\" readability=\"35.47247706422\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/iot-command-injection-industrial-routers-four-faith-mirai\/\"> <span>Uncategorized<\/span> <\/a> <\/li>\n<\/ul>\n<p> The vulnerability, found in versions of Four-Faith routers, appears to have been exploited in the wild and has been connected to attempted infections of Mirai. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/82992\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/thousands-of-industrial-routers-vulnerable-to-command-injection-flaw.jpg?resize=640%2C360&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/thousands-of-industrial-routers-vulnerable-to-command-injection-flaw-2.jpg 5422w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/thousands-of-industrial-routers-vulnerable-to-command-injection-flaw-2.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/thousands-of-industrial-routers-vulnerable-to-command-injection-flaw-2.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/thousands-of-industrial-routers-vulnerable-to-command-injection-flaw-2.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/thousands-of-industrial-routers-vulnerable-to-command-injection-flaw-2.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/thousands-of-industrial-routers-vulnerable-to-command-injection-flaw-2.jpg?resize=2048,1152 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/thousands-of-industrial-routers-vulnerable-to-command-injection-flaw-2.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/thousands-of-industrial-routers-vulnerable-to-command-injection-flaw-2.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/thousands-of-industrial-routers-vulnerable-to-command-injection-flaw-2.jpg?resize=1500,843 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> On Dec. 
27, VulnCheck detailed the vulnerability, tracked as CVE-2024-12856, wherein an attacker can leverage default credentials in Four-Faith F3x24 and F3x36 routers to remotely inject commands into the operating system. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"30.196428571429\"><body readability=\"61.221176470588\"><\/p>\n<p>Thousands of industrial routers from a Chinese telecommunications equipment manufacturer are affected by a post-authentication command injection vulnerability, with indications it is already being exploited in the wild to infect devices with Mirai malware.<\/p>\n<p>On Dec. 27, VulnCheck detailed the vulnerability, tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-12856\">CVE-2024-12856<\/a>, wherein an attacker can leverage default credentials in Four-Faith F3x24 and F3x36 routers to remotely inject commands into the operating system. Because exploitation requires authentication, routers on which the default credentials were never changed are the most directly exposed.&nbsp;<\/p>\n<p>Meanwhile, a <a href=\"https:\/\/viz.greynoise.io\/ip\/178.215.238.91\">malicious IP<\/a> was observed attempting to leverage the vulnerability. VulnCheck Chief Technology Officer Jacob Baines wrote that his team identified the same user agent referenced in a November blog by DucklingStudio attempting to use the vulnerability to deploy a different malware payload.<\/p>\n<p>Baines also posted a <a href=\"https:\/\/x.com\/Junior_Baines\/status\/1872736499516731885\">video<\/a> demonstration on X of the flaw being exploited.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The vulnerability appears to be connected to the spread of a variant of Mirai, the infamous malware and botnet known to target Internet of Things devices. 
DucklingStudio used a honeypot to <a href=\"https:\/\/ducklingstudio.blog.fc2.com\/blog-entry-392.html#google_vignette\">detect the malware<\/a> on Nov. 9, and an update on Dec. 28 explicitly connected it to the listed CVE for Four-Faith\u2019s industrial routers.<\/p>\n<p>Variants of Mirai \u2014 first observed in 2016 and originally written by <a href=\"https:\/\/www.nextgov.com\/cybersecurity\/2017\/12\/mirai-botnet-perpetrators-plead-guilty\/228386\/\">a group of teenagers<\/a> to create botnets \u2014 remain among the most popular forms of malware attacking IoT devices worldwide. According to Zscaler, Mirai was identified <a href=\"https:\/\/www.zscaler.com\/campaign\/threatlabz-mobile-iot-ot-report\">in over a third<\/a> of all IoT malware attacks between June 2023 and May 2024, far outpacing other malware families, while more than 75% of blocked IoT transactions were linked to the malicious code.<\/p>\n<p>VulnCheck wrote up a rule for the open-source threat detection tool Suricata to detect instances of infected routers:<\/p>\n<figure class=\"wp-block-image\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/thousands-of-industrial-routers-vulnerable-to-command-injection-flaw.png?w=640&#038;ssl=1\" alt><figcaption class=\"wp-element-caption\">Detection rule for CVE-2024-12856 affecting Four-Faith industrial routers (Source: VulnCheck)<\/figcaption><\/figure>\n<p>According to Censys, there are at least 15,000 connected routers potentially vulnerable to the flaw, and VulnCheck left open the possibility that additional router products may be affected. 
The National Institute of Standards and Technology\u2019s National Vulnerability Database lists the severity of the bug at 7.2 and notes that firmware version 2.0 (and possibly others) allows for authenticated and remote command injection attacks over HTTP.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The listed CVE does not yet include details about patching or remediation. Baines noted in his blog that VulnCheck notified Four-Faith of the vulnerability and affected routers on Dec. 20, and directed further questions about remediation to the company. Four-Faith did not return a request for comment sent through its website prior to publication.<\/p>\n<p>According to the company\u2019s website, Four-Faith is headquartered in Xiamen, a city in the Southeastern province of Fujian, China. It specializes in manufacturing industrial routers, Internet of Things devices, modems and other wireless communications technologies, and claims to have exported its technologies to over 100 countries.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.5507246376812\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/thousands-of-industrial-routers-vulnerable-to-command-injection-flaw-1.jpg?w=640&#038;ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. 
Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" 
class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/iot-command-injection-industrial-routers-four-faith-mirai\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Thousands of industrial routers vulnerable to command injection flaw&nbsp; |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1690,2815,1027,1,643],"tags":[1692,2822,1029,325,645],"class_list":["post-6759","post","type-post","status-publish","format-standard","hentry","category-internet-of-things-iot","category-routers","category-threat-detection","category-uncategorized","category-vulnerabilities","tag-internet-of-things-iot","tag-routers","tag-threat-detection","tag-uncategorized","tag-vulnerabilities"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/internet-of-things-iot\/\" rel=\"category tag\">Internet of Things (IoT)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/routers\/\" rel=\"category tag\">routers<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threat-detection\/\" rel=\"category tag\">threat detection<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" 
rel=\"category tag\">Uncategorized<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerabilities\/\" rel=\"category tag\">vulnerabilities<\/a>","tag_info":"vulnerabilities","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6759","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6759"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6759\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6759"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6759"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6759"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}